With the multitude of different compliance efforts an organization could be subjected to, it is not uncommon to hear confusion about what may or may not apply. What compliance regulations does the organization fall under? What must the organization do to meet a specific compliance effort and not conflict with a separate one? How can the organization know it is meeting required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lie in the details of the many controls of each of these efforts and in the ability of technology practitioners to find commonalities that will ease redundant testing. By reviewing each of the compliance frameworks, technologists can define a set of generic controls such that when a control is met for one objective, it can also meet objectives in other compliance frameworks.

The Mother of all Control Lists (MOACL) establishes a one-to-many relationship between a general control and varying compliance controls. The project has resulted in a spreadsheet that can be adapted to an organization of any size, helping compliance teams understand where to focus evidence gathering and what coverage is needed to meet applicable standards.

The current version of the MOACL has added GDPR and the CPPA.

The previous MOACL version can be found here.